Linux exploit evades security barrier

Summary: A security hole in the Linux kernel, which allows security features in the operating system to be bypassed, affects Red Hat Enterprise Linux 5, according to a security researcher

A security researcher has released zero-day code for a flaw in the Linux kernel, saying that it bypasses security protections in the operating system.

The source code for the exploit was made available last week by researcher Brad Spengler on the Dailydave mailing list. According to the researcher, the code exploits a vulnerability in Linux kernel versions 2.6.30 and 2.6.18, and works on both 32-bit and 64-bit systems. The 2.6.18 kernel is used in Red Hat Enterprise Linux 5.

The exploit bypasses the null pointer dereference protection in the mainline kernel (the vm.mmap_min_addr restriction, which prevents unprivileged processes from mapping the lowest region of memory, where a null pointer would point), which could allow an attacker to gain root control of a system, Spengler wrote.

It also uses the resulting arbitrary code execution in the kernel to disable security features such as auditing, Security-Enhanced Linux (SELinux), AppArmor and the Linux Security Modules (LSM) framework, while leaving applications running outside the kernel believing that SELinux is still enforcing its policy.

In the notes for his source code, Spengler said the exploit is more effective on systems where SELinux is enabled. SELinux is a mandatory access control system built into the kernel that confines processes according to a security policy.

"Having SELinux enabled actually weakens system security for these kinds of exploits," he wrote.

Security training organization the SANS Institute called the exploit "fascinating". In a blog post on Friday, SANS Institute incident handler Bojan Zdrnja said that the exploit relies on the behaviour of the compiler used to build the kernel to overcome the security features.

"The compiler will introduce the vulnerability to the binary code, which didn't exist in the source code," wrote Zdrnja. "This will cause the kernel to try to read/write data from 0x00000000, which the attacker can map to userland — and this finally pwns the box."

In his notes on the source code, Spengler said that a workaround would be for administrators to compile the kernel with the GCC option -fno-delete-null-pointer-checks, which stops the compiler from removing null pointer checks that it considers redundant because the pointer was already dereferenced earlier.
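The following C is an added example written for this page; it is not code from the article, from Spengler's exploit, or from the kernel. It reproduces the source pattern the article and the SANS post describe: a pointer is dereferenced before it is tested for NULL, so GCC's -fdelete-null-pointer-checks optimisation (enabled by default at -O2) is entitled to treat the later check as dead code. The struct and function names (struct dev, poll_dev_vulnerable, poll_dev_fixed) are made up for illustration, and the POLLERR/POLLIN stand-ins are constants chosen here, not the kernel's values. The last function is a practitioner's check, not part of the exploit: it reports whether the running system lets an unprivileged process map page zero, which is the userland mapping the attack needs and the vm.mmap_min_addr protection is meant to refuse.

```c
/* Added example: the "dereference before NULL check" pattern and its fix,
 * plus a check of the mmap_min_addr protection. Names are hypothetical. */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define POLLERR_VALUE 8u   /* stand-in for the kernel's POLLERR (chosen here) */
#define POLLIN_VALUE  1u   /* stand-in for POLLIN (chosen here) */

struct dev {
    int *sock;      /* stand-in for a socket pointer held by the device */
    int readable;
};

/* Vulnerable shape: dev->sock is read BEFORE dev is checked for NULL.
 * With gcc -O2 the optimiser may assume dev is non-NULL (a NULL
 * dereference is undefined behaviour) and delete the "if (!dev)" branch,
 * so a NULL dev reaches the load of dev->sock from address 0. If page
 * zero has been mapped by the caller, that load reads attacker data. */
unsigned int poll_dev_vulnerable(struct dev *dev)
{
    int *sock = dev->sock;          /* dereference first ...              */
    unsigned int mask = 0;

    if (!dev)                       /* ... check second: may be optimised away */
        return POLLERR_VALUE;

    if (dev->readable && sock)
        mask |= POLLIN_VALUE;
    return mask;
}

/* Hardened shape: the NULL test precedes every dereference, so there is
 * nothing for the optimiser to assume away. This is the ordering fix;
 * -fno-delete-null-pointer-checks is the build-time workaround that
 * keeps the check even in the vulnerable ordering. */
unsigned int poll_dev_fixed(struct dev *dev)
{
    int *sock;
    unsigned int mask = 0;

    if (!dev)
        return POLLERR_VALUE;

    sock = dev->sock;
    if (dev->readable && sock)
        mask |= POLLIN_VALUE;
    return mask;
}

/* System check: can this process map the page at address 0?
 * Returns 1 if mmap(MAP_FIXED at 0) succeeds, 0 if the kernel refuses.
 * On a kernel enforcing vm.mmap_min_addr for an unprivileged caller the
 * call fails with EPERM, which is the protection the article refers to. */
int can_map_page_zero(void)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap((void *)0, page, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    if (p == MAP_FAILED)
        return 0;
    munmap(p, page);
    return 1;
}

/* Constructed sample device used by main() and by the checks. */
static int sample_sock = 1;
struct dev sample_dev = { &sample_sock, 1 };

int main(void)
{
    printf("fixed(valid) = %u, fixed(NULL) = %u\n",
           poll_dev_fixed(&sample_dev), poll_dev_fixed(NULL));
    printf("vulnerable(valid) = %u\n", poll_dev_vulnerable(&sample_dev));
    /* poll_dev_vulnerable(NULL) is deliberately not called: once the check
     * is optimised out it faults at address 0 (or, with page zero mapped,
     * proceeds on attacker-controlled memory). */
    if (can_map_page_zero())
        printf("page zero mapping: allowed (mmap_min_addr protection absent or bypassed)\n");
    else
        printf("page zero mapping: refused (%s)\n", strerror(errno));
    return 0;
}
```

To see the optimisation itself, compile the file twice, `gcc -O2 -S` and `gcc -O2 -fno-delete-null-pointer-checks -S`, and compare the assembly for poll_dev_vulnerable: in the first build the comparison of the pointer against zero is typically gone, in the second it is kept. poll_dev_fixed keeps its check under both, which is why reordering the check ahead of the dereference is the real fix and the compiler flag is only a safety net.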

This article was originally posted on ZDNet UK.

Topics: Linux, Open Source, Operating Systems, Security, Software

Tom Espiner

About Tom Espiner

Tom is a technology reporter for ZDNet.com. He covers the security beat, writing about everything from hacking and cybercrime to threats and mitigation. He also focuses on open source and emerging technologies, all the while trying to cut through greenwash.


Talkback

69 comments
  • Actually ....

    The C programming code had a check for this already in it. The COMPILER, in optimizing the code, removed the check.

    I wonder how many times this happens in all of the various compilers in the world?
    linux4u
    • So the guys who compiled the Linux kernel traded security for speed?

      N/T
      markbn
      • No, it appears to be a compiler bug ...

        The optimization process is intended to remove unnecessary code from the binary product. In this case, it inadvertently removes critical code. It is not something that anyone has done deliberately. Its a rather typical bug, which in this case has spectacular effects. It has now been identified, fortunately by a "good guy" and will likely be patched rather quickly.
        George Mitchell
    • Compilers don't do that

      ... b/c the principle of a compiler is not to change the semantics of a program, unless it's some open source pretender compiler that, like a lot of other OSS, doesn't know what it is doing.
      LBiege
      • You misunderstand OSS.

        Computer code is written by people, whether OSS or in software companies. There are experts and non-experts in both. What is needed is peer review, which works much better in OSS. Don't be so silly as to think that everybody else is a dunce.
        peter_erskine@...
  • RE: Linux exploit evades security barrier

    Ok, now that I picked myself up off the floor from laughing so hard at just how insecure Linux is (which I knew already) and how the Linux fanboys tried to convince me that it was "the safest OS on the planet" I couldn't help but laugh at them. In your face! HAH!

    This is yet another security hole in Linux and you guys wonder why I would never ever run it. It's always one security issue after the other with Linux. Then it's compile compile compile every day just to keep it secured. I wonder if they will ever fix that pesky telnet open port issue while they are talking about security.

    I am so glad I don't run it except to test it out and that is all of a few minutes before I realize it's all the same crap underneath with no improvements. This article is further proof that Linux is not ready for the mainstream or to be used by anyone. Not until Linus takes himself seriously and starts coding an OS that is worth a damn.
    Loverock Davidson
    • I don't wonder why you would never run it...

      since you are unlikely to try something you fear.

      Yes, I can see why you laugh as no other OS's that you may use would ever have security issues... Ever...

      I am confused though that you would go through the days of installing and compiling every package only to test for a couple minutes. You must have a lot of spare time. How in demand are your skills?
      Viva la crank dodo
    • Re:RE: Linux exploit evades security barrier

      For your information, it's already patched: 2.6.31-rc1.
      llemm
    • WOW! Fixed Already

      Read this story, opened Synaptic, yup... there is a patched 2.6.30 kernel waiting in the repos. Installing now.

      That wasn't a problem at all...
      Tim Patterson
      • Re: WOW! Fixed Already

        The distros are well aware of this. If you are using 2.6.29 or lower, you do not need any patch or anything, because this exploit only affects 2.6.30; any other versions are safe.
        llemm
        • Thanks

          I know.

          I'm running a lenny/squeeze/sid mix with 2.6.30-1.

          Just installed the patched kernel.

          Tim Patterson
        • Hmm where have I heard this...

          Oh yeah! Now I remember. I think it was called Conficker or something, wasn't it?

          "The views expressed here are mine and do not reflect the official opinion of my employer or the organization through which the Internet was accessed."
          gnesterenko
  • OS's, bugs, patches...and all of that.

    Okay, so can we agree now that no OS is immune to security vulnerabilities?

    bmonsterman
    • If this is the first exploit you've heard about....

      ...for Linux then I see why you'd make that statement. I don't think anyone in their right mind has said any OS is immune to vulnerabilities. What has been argued are the security measures in place across the different OSes. The fact that this vuln is "spectacular" somewhat speaks for the fact that there can be a lot of security measures to get around in Linux. In this case it looks like one had to be accidentally stripped away.
      storm14k
      • well now...

        "I don't think anyone in their right mind has said any OS is immune to vulnerabilities."

        You better check with your PR department, 'cause that's what we've been hearing about OS X and Linux for a LONG time.

        "The views expressed here are mine and do not reflect the official opinion of my employer or the organization through which the Internet was accessed."
        gnesterenko
        • Oh really?

          Where? Or are you somehow confusing immunity with people talking about not being able to write propagating vulnerabilities or exploit machines remotely?

          If it's something that a person has to install then what's really the point? Once you get to this point the user is basically telling the computer it's OK. All you can do is warn them and try to stop the program from doing things it really has no business doing.
          storm14k
          • Just like Vista.

            "If it's something that a person has to install then what's really the point? Once you get to this point the user is basically telling the computer it's OK."

            Glad to see you're in agreement that Vista's security is right up there with Linux.
            ye
          • I didn't say it wasn't...

            ...since they've finally started implementing things that have been in Linux for years. I'm glad to see you admit that these measures have worked. Now when MS decides to take steps along the lines of SELinux and considering an app repository to help protect their customers they'll REALLY be up there with Linux.
            storm14k
          • Apparently customers aren't liking SELinux

            a quote:

            "...given the threat models and capabilities of the adversaries involved, that's probably appropriate... But that's not necessarily appropriate for all users. SELINUX is so horrible to use, that after wasting a large amount of time enabling it and then watching all of my applications die a horrible death since they didn't have the appropriate hand-crafted security policy, caused me to swear off of it. For me, given my threat model and how much my time is worth, life is too short for SELinux." (Theodore Ts'o)
            bmonsterman
          • I've seen some that don't like it.

            I've seen some that swear by it.

            Personally I believe it's before its time. There isn't much in the way of threats that it needs to thwart. I believe once you see threats coming along, if ever, you'll probably see something like profile repositories to keep your machine protected based on use cases.
            storm14k